WordPress site admins urged to update immediately

Millions of websites running WordPress are being strongly urged to update to the latest version of the popular content management system as soon as possible to prevent website takeovers after a serious security vulnerability was uncovered.

On Tuesday, WordPress announced the launch of version 4.8.3 as a security release which mitigates the security flaw.

“Today, a significant SQL-Injection vulnerability was fixed in WordPress 4.8.3. Before reading further, if you haven’t updated yet stop right now and update.”

The advice comes from the WordPress Foundation and Anthony Ferrara, VP of engineering at Lingo Live, who discovered the WordPress flaw that allows attackers to trigger an SQL injection attack leading to complete website hijacking. The vulnerability was discovered in the versions 4.8.2 and below.

Ferrara published technical details about the flaw and explained that it was initially discovered by someone else months ago.

“WordPress versions 4.8.2 and earlier are affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability,” the Foundation explained.

Ironically, the release last month of WordPress 4.8.2 was intended to protect against the vulnerability, but – according to Ferrera – it actually “broke a lot of sites” and “didn’t actually fix the root issue (but just a narrow subset of the potential exploits)”.

Subscribe to PHI via Email

Enter your email address to subscribe to PHI and receive notifications of new posts by email.

Join 1,478 other subscribers

Email Address

PROFESSIONAL HACKERS INDIA

We are proud to offer premier information security updates, IT updates, Core Tools And Techniques across the globe. Our mission is to make the internet more secure, more trendy, more aware and more reliable.